CVE-2023-24057: 
Java vulnerability analysis and mitigation

HL7 (Health Level 7) FHIR Core Libraries before version 5.6.92 contains a directory traversal vulnerability that allows attackers to extract files into arbitrary directories. The vulnerability was discovered and assigned CVE-2023-24057, with the initial disclosure date of January 22, 2023. The vulnerability affects the package-decompression feature when handling crafted ZIP or TGZ archives, specifically in scenarios involving prepackaged terminology cache, NPM package, or comparison archive processing (MITRE CVE, NVD).

The vulnerability stems from insufficient validation of zip file entries during the unpacking process, potentially allowing malicious writes outside the intended destination directory. The issue specifically affects multiple components including Publisher.java, WebSourceProvider.java, ZipFetcher.java, and IGPack2NpmConvertor.java. The CVSS v3.1 base score for this vulnerability is 9.1 (Critical), with attack vector: Network, attack complexity: Low, privileges required: High, user interaction: None, scope: Changed, and high impact on confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability can lead to arbitrary file writes outside of intended directories through directory traversal attacks. This could potentially allow attackers to manipulate or overwrite system files, leading to system compromise. The high CVSS score indicates severe potential impacts on system confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability has been patched in HL7 FHIR Core Libraries version 5.6.92 and later. Users are strongly advised to upgrade to this version or newer to mitigate the risk. It's worth noting that an incomplete fix led to a subsequent vulnerability (CVE-2023-28465), which was later addressed in version 5.6.106 (NVD).